Tuesday, August 4, 2009

UAE Mobile Provider Installs Spyware on Customers' Blackberries

Wired and Silicon Valley have reported that a mobile telephony provider in the United Arab Emirates installed spyware on the Blackberries of subscribers to its services. Blackberry users were prompted to download a software update. Once the update was installed, however, users complained that their device’s performance was degraded and that their batteries were quickly exhausted. As it turned out, the update had the device contact a certain server for registration. The high number of devices that attempted to connect to the server simultaneously caused the server to crash. Because each Blackberry regularly retried the connection after the initial failure, the repeated attempts quickly drained the device’s battery.

Code analysts reported that the update included code to permit surveillance of the Blackberry’s contents and communications, although this feature was deactivated upon initial download. The code was evidently written by US-based company SS8, which provides surveillance solutions to telecommunications providers as well as products for intelligence and law enforcement. As reported on Wired, analysis by the company Veracode suggested that installing the surveillance software on the user’s handheld device, as opposed to relying on surveillance at the server level, would keep message encryption from frustrating attempts to examine communications sent from and received by the device. Rather than intercepting messages in transit at the server, the code would have the device deliver copies of the content stored there to a special server. These copies would be in unencrypted form, since they would either be generated before encryption is applied, in the case of sent messages, or have already been decrypted with the user’s key, in the case of received messages.
